Laravel CORS into framework v 9

Stefan Bogdanescu

Founder & Senior Architect · 2026-06-29

Laravel Company

Mastering Cross-Origin Resource Sharing in Laravel 9+ with fruitcake/laravel-cors

When building modern, API-driven applications with Laravel, one of the most common stumbling blocks developers encounter is related to Cross-Origin Resource Sharing (CORS). As you experienced when setting up your demo routes, receiving the error: "Access to XMLHttpRequest at 'http://localhost:8000/demo' from origin 'null' has been blocked by CORS policy," you are running into a fundamental security mechanism enforced by web browsers.

This post will dive deep into how to correctly integrate CORS handling into your Laravel 9+ framework, focusing on the widely accepted fruitcake/laravel-cors package and demonstrating exactly how to ensure your API endpoints like /api/list and /api/profiles are accessible across different domains.

Understanding the CORS Challenge in Laravel

CORS is not a feature built directly into the core PHP logic; it is a browser security policy that dictates which domains are allowed to make requests to a server. To satisfy this policy, the server (your Laravel application) must explicitly send specific HTTP headers, most importantly the Access-Control-Allow-Origin header.

In a standard Laravel setup, we don't typically want every request to be wide open, but rather controlled based on where the frontend application resides. This is where packages like fruitcake/laravel-cors become indispensable. As part of building robust systems, understanding how frameworks manage dependencies—like the effort behind integrating components into the main Laravel structure—is crucial for maintaining clean, scalable code, much like adhering to the principles laid out by the Laravel team at https://laravelcompany.com.

Step-by-Step Implementation of CORS

Integrating CORS involves two primary steps: installing the package and configuring the necessary settings in your application.

1. Installation

First, ensure you have installed the package via Composer:

composer require fruitcake/laravel-cors

2. Configuration

After installation, you need to configure the CORS rules. This is done by modifying the configuration file located at config/cors.php. This file dictates which origins (domains) are permitted to access your API resources and what methods (GET, POST, PUT, DELETE) are allowed.

For development purposes, you might allow all origins. For production, it is highly recommended to specify only your frontend domain(s).

Here is an example of a typical configuration setup in config/cors.php:

<?php

return [
    /*
     * Allow specific origins to access the API. 
     * Use '*' for development, but be restrictive for production.
     */
    'paths' => ['api/*', 'sanctum/csrf-cookie'],

    'allowed_origins' => [
        'http://localhost:3000', // Example: Your frontend running on port 3000
        'http://127.0.0.1:5500',
    ],

    'allowed_methods' => ['*'], // Allows all methods (GET, POST, PUT, DELETE, etc.)

    'allowed_headers' => ['*'], // Allows all headers

    'exposed_headers' => ['*'], // Headers exposed to the client

    'max_age' => 3600, // How long the preflight response is cached (in seconds)

    'supports_credentials' => true, // Important if you are sending cookies or authorization headers

];

3. Applying CORS Middleware

The final, crucial step is ensuring that this configuration is applied globally. The fruitcake/laravel-cors package registers itself as a middleware group. When installed correctly, it automatically hooks into the Laravel pipeline, allowing any request hitting your API routes (like /api/list or /api/profiles) to be checked against these CORS rules before the response is sent back.

By setting up this middleware correctly, you ensure that when your frontend attempts to fetch data from endpoints like api/list, Laravel will correctly inject the necessary Access-Control-Allow-Origin header, resolving the browser's security block and allowing your application to communicate seamlessly. This approach ensures that your API adheres to modern web standards while maintaining the clean architecture principles emphasized by the Laravel framework.

Conclusion

Implementing CORS in a Laravel application is a matter of configuration and middleware integration rather than complex custom coding. By leveraging established packages like fruitcake/laravel-cors and carefully defining your allowed origins and methods in config/cors.php, you can quickly resolve cross-origin issues for all your API endpoints, including those serving data from /api/list and /api/profiles. Always remember to secure your configuration, especially when moving from local development to production environments, ensuring that only trusted domains are granted access.